Sunday, August 19, 2007

Cracking C3 RTL 8186 Firmware

Some proprietary firmwares are available that provide a lot of useful features and options for RTL8186-based access points. Mine is a Senao/Engenius NCB/ECB-3220. Examining the log produced by the firmware (Management->Log) shows several lines mentioning the firmware, e.g.:

8186NIC Ethernet driver v0.0.5 (Mar 3, 2006)rtl8186_crypto_init()...

One of the most popular proprietary firmwares is AP router; however, cracking that firmware requires a serial connection to the access point, a luxury I didn't have. So I searched for other firmwares, and C3 popped up. C3 is a Brazilian-only RTL8186 firmware that supports most of the features AP router provides (there is in fact great similarity between the two; even the filenames of the web server's HTML files look identical in a number of places).

Cracking the C3 firmware is also a lot easier than AP router and doesn't require the cable. It seems that while unlicensed, the firmware prevents any change to the access point's flash. Upon uploading a license file issued for any other access point, the firmware displays Update successful and changes your access point's MAC address to the one in the license file, which disables the write protection on the AP's flash memory. All you have to do then is change that MAC address back to your original one, and voila, you have cracked the C3 firmware.

The major disadvantage of the C3 firmware is that it has no English interface, so you have to get used to seeing the Portuguese equivalents of some terms.

1. Obtain the MAC address of your AP, either from the default firmware or over SSH (e.g. with PuTTY; username and password are both root) by running:

flash get HW_NIC1_ADDR
flash get ELAN_MAC_ADDR

Write your MAC address down or save it somewhere safe.

* To install the C3 firmware, either select update firmware from the original firmware or check this for the TFTP mode.
** Mind that there are two versions of the C3 firmware, so select the one that suits your AP; for me this one did the trick (it is, however, for the D-Link G700AP).

2. Select Upload de Licença (license upload) and upload this file.

3. Connect to the AP with PuTTY and run the following:

flash set HW_NIC1_ADDR [your MAC address without brackets or colons]
flash set ELAN_MAC_ADDR [your MAC address without brackets or colons]

4. Reboot your AP, either from the web interface or by typing reboot at the SSH prompt.

5. Congratulations, you're done; grab a dictionary!

This work is based on the efforts of AreaWireless.Net.
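As an added example (not part of the original post, nor of the C3 or AreaWireless.Net material), here is a small POSIX shell helper you can run on your workstation before step 3. It turns a MAC address written in any of the usual notations (colons, hyphens, dots, surrounding brackets, upper or lower case) into the bare twelve-hex-digit form the flash set commands expect, refuses anything that is not a valid 48-bit address so a typo never reaches the flash, and prints the two commands ready to paste into the PuTTY session. It assumes, as the post states, that flash set takes the address as bare hex digits and that HW_NIC1_ADDR and ELAN_MAC_ADDR are the variables to restore; the sample address at the bottom is constructed, not a real device's.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the AP's `flash set`
# takes the address as 12 bare hex digits (as the post says) and that
# HW_NIC1_ADDR / ELAN_MAC_ADDR are the variables to restore.

# normalize_mac ADDR
# Accepts 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC, [00:11:22:aa:bb:cc],
# 0011.2233.4455 or an already-bare 001122aabbcc, and prints the 12
# lowercase hex digits. Returns 1 and prints nothing for anything that
# is not a valid 48-bit address (wrong length or non-hex characters).
normalize_mac() {
    mac=$(printf '%s' "$1" | sed -e 's/\[//g' -e 's/]//g' \
          | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$mac" in
        "" | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || return 1
    printf '%s\n' "$mac"
}

# flash_set_cmds ADDR
# Prints the two commands from step 3 with the normalized address filled in,
# or an error on stderr (and status 1) if the address is not valid.
flash_set_cmds() {
    m=$(normalize_mac "$1") || { echo "invalid MAC address: $1" >&2; return 1; }
    printf 'flash set HW_NIC1_ADDR %s\n' "$m"
    printf 'flash set ELAN_MAC_ADDR %s\n' "$m"
}

# same_mac A B
# True when both notations denote the same address. Useful after the reboot
# in step 4: compare what `flash get` prints against the value saved in step 1.
same_mac() {
    a=$(normalize_mac "$1") || return 1
    b=$(normalize_mac "$2") || return 1
    [ "$a" = "$b" ]
}

# Constructed sample address (not a real device's MAC).
flash_set_cmds '[00:11:22:AA:BB:CC]'
```

Note that the script strips only the separator characters first and then checks what is left, rather than deleting everything non-hex: that way an address with a typo such as a stray letter fails loudly instead of silently shrinking to ten digits.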